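# ---------------------------------------------------------------------------
# CrowdStrike Falcon API query examples
#
# Applies to every request in this section:
#   * Paths are relative; prefix them with the region-specific API base URL
#     of your tenant (e.g. https://api.crowdstrike.com).
#   * Authentication: an OAuth2 bearer token (Authorization: Bearer <token>)
#     from an API client that has READ scope for the resource being queried
#     (detections, incidents, ...). Least privilege: do not reuse a
#     write-scoped client for hunting.
#   * /queries/ endpoints return resource IDs only (paginated with
#     limit/offset). Resolve the IDs with the matching /entities/ endpoint to
#     get the records (e.g. POST /detects/entities/summaries/GET/v1).
#   * FQL syntax: string values are single-quoted (status:'new'); several
#     conditions go in ONE filter parameter joined with + (AND) or , (OR).
#     A second "filter=" parameter does not combine with the first. The filter
#     value must be URL-encoded on the wire (+ becomes %2B).
#   * Field names and values below are illustrative. Verify each against the
#     API reference for that endpoint before relying on it: an unknown field
#     or value yields an empty or rejected response, and an empty result must
#     never be read as "nothing found". CrowdStrike has announced the Detects
#     API is superseded by the Alerts API (/alerts/queries/alerts/v1); check
#     which one your tenant exposes.
# ---------------------------------------------------------------------------

# Incidents flagged as user-account compromise
GET /incidents/queries/incidents/v1?filter=alert.category:'user_compromise'

# Detections: suspicious file activity
GET /detects/queries/detects/v1?filter=detection_name:'malware_file_activity'

# Detections: lateral movement. (The original title also claimed privilege
# escalation, but the filter only covers lateral movement; add a second
# condition with , (OR) if both are wanted.)
GET /detects/queries/detects/v1?filter=detection_name:'lateral_movement'

# Detections: malicious PowerShell activity
GET /detects/queries/detects/v1?filter=detection_name:'malware_powershell_activity'

# AWS workload instances whose status is Compromised
GET /cloud-connect-aws/workload-instances/queries/workload-instances/v1?filter=instance_status:'Compromised'

# Indicators of compromise (IOCs) that have been detected
GET /indicators/queries/detects/v1?filter=status:'DETECTED'

# Detections: suspicious processes
GET /detects/queries/detects/v1?filter=detection_name:'malware_processes'

# Detections: suspicious network activity
GET /detects/queries/detects/v1?filter=detection_name:'malware_network_activity'

# Detections: new / unknown threats
GET /detects/queries/detects/v1?filter=detection_name:'unknown_threat'

# Behavioural-anomaly indicators (boolean values are not quoted)
GET /detects/queries/indicators/v1?filter=behavioral_anomaly:true

# Detections: PowerShell command / script activity
GET /detects/queries/detects/v1?filter=detection_name:'powershell_command_and_script_activity'

# Detections for one attack type (ransomware)
GET /detects/queries/detects/v1?filter=detection_name:'ransomware'

# The PowerShell query scoped to a single host. The original sent "filter="
# twice; the two conditions must be joined with + inside one filter value.
GET /detects/queries/detects/v1?filter=detection_name:'powershell_command_and_script_activity'+device_id:'{{device_id}}'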

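# Blocking network recon / capture tools (Nmap, Wireshark, Burp Suite) with Falcon.
# Falcon has no free-text "deny" command: prevention is configured as a custom
# IOA rule (image file name + command-line pattern) or a custom IOC (file hash).
# The expression below is the matching logic to encode in such a rule; it is
# not a search query.
# Caveats before deploying it:
#   * Matching on the file name is defeated by renaming the binary. Pair it
#     with hash-based IOCs for the known releases, and alert as well as block
#     so a renamed copy still surfaces through the hash match.
#   * Wireshark captures through dumpcap.exe and ships tshark.exe; Nmap ships
#     ncat/nping/zenmap alongside nmap.exe. The two capture helpers are added
#     below; review the rest against what is actually installed in your estate.
#   * "java.exe + *burp*" also fires on any Java program whose path happens to
#     contain "burp". Anchoring on the jar name (*burpsuite*.jar) narrows it;
#     adjust to the file names your copies use.
#   * Packet-capture tools are legitimate for network and security staff;
#     exclude those hosts/groups in the rule's assignment, not in the logic.
deny process_name:nmap.exe or process_name:wireshark.exe or process_name:dumpcap.exe or process_name:tshark.exe or (process_name:java.exe and command_line:*burpsuite*.jar)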

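# Active Directory enumeration tooling, matched by tool name in the command line.
# Changes from the original:
#   * Dropped the process_name:"powershell.exe" requirement. Most tools listed
#     (AdFind, SharpHound, Seatbelt, Inveigh, NtdsAudit, Kerbrute, CrackMapExec,
#     ldapdomaindump, Impacket) run as their own executables or scripts, so
#     with that requirement they were only caught when launched from a
#     PowerShell one-liner that named them; run directly (the common case)
#     they never matched. pwsh.exe (PowerShell 7) was excluded as well.
#   * Dropped command_line:"Adversary": a generic English word that matches
#     unrelated product names and paths and has no detection value.
# Caveats:
#   * Name matching is evaded by renaming the tool or loading it reflectively.
#     Treat this as a cheap tripwire, not coverage; the durable signal is
#     behavioural (LDAP query volume from workstations, SAMR/DCE-RPC
#     enumeration, bursts of Kerberos TGS requests).
#   * "Empire" and "Impacket" are short substrings and will appear in benign
#     paths; tune after reviewing the false positives in your own data.
(
    command_line:"BloodHound" OR
    command_line:"PowerView" OR
    command_line:"ADExplorer" OR
    command_line:"ldapdomaindump" OR
    command_line:"SharpHound" OR
    command_line:"CrackMapExec" OR
    command_line:"Empire" OR
    command_line:"Impacket" OR
    command_line:"Kerbrute" OR
    command_line:"Invoke-ACLPwn" OR
    command_line:"AdFind" OR
    command_line:"ADRecon" OR
    command_line:"NtdsAudit" OR
    command_line:"SpoolSample" OR
    command_line:"Seatbelt" OR
    command_line:"ADACLScanner" OR
    command_line:"Inveigh" OR
    command_line:"ADEnum" OR
    command_line:"SharpView"
)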


#Suspicious PowerShell activity:
process_name:"powershell.exe" command_line:"(Get-WmiObject Win32_Process).CommandLine"

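# Directory-service traffic leaving the private address space.
# LDAP (389), LDAPS (636) and Global Catalog (3268/3269) to a non-RFC1918
# address is unusual in most estates. The original excluded only 10.0.0.0/8,
# so connections to internal 172.16.0.0/12 and 192.168.0.0/16 hosts (and
# loopback) were reported as "unusual"; all private ranges are excluded now
# and LDAPS is added.
# Port 53 is kept from the original, but external DNS is common (public
# resolvers); if it dominates the results move it to its own rule.
# Assumes the backend accepts CIDR notation in destination_address (verify).
network_protocol:"TCP" destination_port:(389 OR 636 OR 3268 OR 3269 OR 53) -destination_address:"10.0.0.0/8" -destination_address:"172.16.0.0/12" -destination_address:"192.168.0.0/16" -destination_address:"127.0.0.0/8"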

# Changes to the NTDS service parameters (the AD database/log locations and
# directory-service settings live under this key).
# NOTE(review): Falcon registry telemetry usually records keys in the NT path
# form (\REGISTRY\MACHINE\SYSTEM\...) rather than HKEY_LOCAL_MACHINE, and a
# backslash inside a quoted value may need escaping — confirm both against the
# backend you query before relying on this.
# Expected on a DC during promotion, patching and some DS maintenance; anything
# else should be rare enough to review. Only value writes (SetValue) are
# matched here; key creation/deletion would need a separate clause.
registry_key:"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" event_simple_name:"SetValue"

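# LDAP URLs on a process command line, excluding the DNS application partitions
# and the schema partition that monitoring and replication tooling touch routinely.
# Fixes from the original:
#   * The match used command_line while the exclusions used
#     process_command_line; exclusions on a different field than the match do
#     not narrow it. Every term now uses command_line.
#   * Dropped process_name:"lsass.exe". lsass.exe is the LDAP *server* on a DC
#     and runs with a fixed command line, so no LDAP URL ever appears there and
#     the original could not match. The client process is what carries the URL.
# Limitation: LDAP search filters themselves are not visible in command lines.
# For the actual query contents use directory-service logging on the DC (e.g.
# Directory Service event 1644 for expensive/inefficient searches) or LDAP
# search telemetry from the sensor where it is available.
command_line:"ldap://*:*/*" -command_line:"DomainDnsZones" -command_line:"ForestDnsZones" -command_line:"Schema"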

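# Domain reconnaissance with built-in AD administration tools.
# Fixes from the original:
#   * Field names unified to command_line (the rest of this file uses it).
#   * Replaced the -process_command_line:"/v" exclusion: dropping verbose
#     runs has no detection rationale and discarded real reconnaissance.
#     nltest is now matched on the switches used to enumerate DCs and trusts;
#     dcdiag and netdom stay on process name because they are seldom run
#     outside DC administration.
# Tune by excluding known administrator accounts / jump hosts rather than by
# switch: on a workstation or under a regular user any of these is worth a look.
process_name:"dcdiag.exe" OR process_name:"netdom.exe" OR (process_name:"nltest.exe" AND (command_line:"*/dclist*" OR command_line:"*/domain_trusts*" OR command_line:"*/trusted_domains*" OR command_line:"*/dsgetdc*"))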


#Suspicious use of PowerShell:
process_name:"powershell.exe" -command_line:"Get-AD* -Filter" -command_line:"Get-Domain*" -command_line:"Get-Net*"


# There is no single "best" threat query: it depends on the organisation's
# threat landscape, the threat types that matter most and the indicators of
# compromise (IOCs) tied to them. The example below is only a broad starting
# point.
# NOTE(review): the event_type values here are illustrative, not taken from a
# field reference — confirm the field and its allowed values in your tenant's
# event schema before use; an unknown value typically just returns nothing.
# In practice start from the platform's own detections (tactic / technique /
# severity fields) and fall back to raw event types only for the gaps.
event_type:"malware" OR event_type:"exploit_attempt" OR event_type:"credential_theft" OR event_type:"suspicious_process"


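# Host-side hunt for scripts that call "Invoke-*" functions.
# This is a PowerShell command to run ON the endpoint (e.g. through Falcon
# Real Time Response), not a Falcon search query.
# Bugs fixed from the original one-liner:
#   * "-Context 0,2" captures zero lines *before* each match, so
#     .Context.PreContext[0] was always empty and the pipeline produced no
#     output at all.
#   * The trailing path regex tried to recover file names from that empty
#     context; Select-String already knows the file (Path property).
#   * Scanning *.exe and *.dll with Select-String is slow and rarely finds
#     anything meaningful (compiled code is not plain text); limited to
#     script types.
#   * -Force added so hidden files are included; droppers are routinely hidden.
# Output: unique full paths of matching files. "Invoke-" alone is noisy
# (Invoke-Command, Invoke-WebRequest, ...); narrow the pattern to the function
# names you are hunting, e.g. 'Invoke-(Mimikatz|Kerberoast|ReflectivePEInjection|Shellcode)'.
# A full C:\ walk takes minutes on a large disk; run it out of hours or start
# with user profiles, temp and ProgramData.
Get-ChildItem -Path C:\ -Include *.ps1, *.psm1, *.bat, *.vbs, *.js -Recurse -Force -ErrorAction SilentlyContinue |
    Select-String -Pattern 'Invoke-' -List |
    Select-Object -ExpandProperty Path -Unique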


#Here is an example search query using the CrowdStrike Falcon platform to detect backdoor activity:

"event_simpleName:Backdoor AND event_type:Detection AND (actor_process_name:cmd.exe OR actor_process_name:powershell.exe OR actor_process_name:regsvr32.exe OR actor_process_name:rundll32.exe)"
